On Tue, Apr 24, 2012 at 09:06:52AM -0400, Jeff Blaine wrote:
> How are people provisioning host principal keytabs in
> large quantities? I've never really seen anyone discuss
> this. It's not 1988 anymore ;)
I've written some tools that are in use at a couple of places which
have reasonably large Kerberos installations. They are open source
and available via http://oskt.secure-endpoints.com/ and deal with
automating Kerberos management amongst other things. At this point,
some of the high level documentation is a little light (i.e. the
documentation is in the man pages rather than on the web pages).
The tools that are of interest for this problem are krb5_keytab/krb5_admin.
They handle host key bootstrapping and service key provisioning.
At the moment, I have mainly been using Heimdal so the head of the
tree may not quite work on MIT Kerberos but it could be fixed
relatively easily as it was all first developed linking against
For host key provisioning, the tools support a two step process
where a host will first ask for a randomised bootstrapping key and
then use that credential to ask for its host key at a later point
after an externally defined process ACLs that bootstrapping key to
the hostname in question. The externally defined process is site
specific and should include whatever logic makes sense in the site
to provide the security assurances that are desired.